[Freeipa-devel] [freeipa PR#926][closed] test_caless: remove xfail in wildcard certificate tests

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/926
Author: Rezney
 Title: #926: test_caless: remove xfail in wildcard certificate tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/926/head:pr926
git checkout pr926
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#922][closed] logging: make sure logging level is set to proper value

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/922
Author: tomaskrizek
 Title: #922: logging: make sure logging level is set to proper value
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/922/head:pr922
git checkout pr922
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#928][closed] WebUI: fix jslint error

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/928
Author: pvomacka
 Title: #928: WebUI: fix jslint error
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/928/head:pr928
git checkout pr928
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#911][closed] WebUI: fix for negative number in pagination size settings

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/911
Author: pvomacka
 Title: #911: WebUI: fix for negative number in pagination size settings
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/911/head:pr911
git checkout pr911
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#915][opened] [master only] Move tmpfiles.d configuration handling back to spec file

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/915
Author: martbab
 Title: #915: [master only] Move tmpfiles.d configuration handling back to spec 
file
Action: opened

PR body:
"""
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de1769077cd5b057133606ec5eeaf62b.

https://pagure.io/freeipa/issue/7053
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/915/head:pr915
git checkout pr915
From cd76bf8b30e13b56548c0a1b2153f4f775d0ea5d Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 11 Jul 2017 14:10:28 +0200
Subject: [PATCH] Move tmpfiles.d configuration handling back to spec file

Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de1769077cd5b057133606ec5eeaf62b.

https://pagure.io/freeipa/issue/7053
---
 configure.ac   |  1 +
 freeipa.spec.in|  3 ++-
 init/Makefile.am   |  2 +-
 init/tmpfilesd/Makefile.am | 20 
 init/tmpfilesd/ipa.conf.in |  3 +++
 install/share/Makefile.am  |  1 -
 install/share/ipa.conf.tmpfiles|  2 --
 ipaplatform/base/paths.py  |  1 -
 ipaplatform/base/tasks.py  |  8 
 ipaplatform/redhat/tasks.py| 21 -
 ipaserver/install/server/install.py| 10 --
 ipaserver/install/server/replicainstall.py |  3 ---
 ipaserver/install/server/upgrade.py|  4 
 13 files changed, 27 insertions(+), 52 deletions(-)
 create mode 100644 init/tmpfilesd/Makefile.am
 create mode 100644 init/tmpfilesd/ipa.conf.in
 delete mode 100644 install/share/ipa.conf.tmpfiles

diff --git a/configure.ac b/configure.ac
index c43759c5bb..f098eb1dac 100644
--- a/configure.ac
+++ b/configure.ac
@@ -558,6 +558,7 @@ AC_CONFIG_FILES([
 daemons/ipa-slapi-plugins/ipa-range-check/Makefile
 daemons/ipa-slapi-plugins/topology/Makefile
 init/systemd/Makefile
+init/tmpfilesd/Makefile
 init/Makefile
 install/Makefile
 install/certmonger/Makefile
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 72ce4ccc2c..1073987e98 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1321,6 +1321,8 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
+# NOTE: systemd specific section
+%{_tmpfilesdir}/ipa.conf
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
 %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
@@ -1330,7 +1332,6 @@ fi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
-%{_usr}/share/ipa/ipa.conf.tmpfiles
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
 %{_usr}/share/ipa/advise/legacy/*.template
diff --git a/init/Makefile.am b/init/Makefile.am
index bee4243912..8f4d1d0a8f 100644
--- a/init/Makefile.am
+++ b/init/Makefile.am
@@ -2,7 +2,7 @@
 #
 AUTOMAKE_OPTIONS = 1.7
 
-SUBDIRS = systemd
+SUBDIRS = systemd tmpfilesd
 
 dist_sysconfenv_DATA = 		\
 	ipa-dnskeysyncd		\
diff --git a/init/tmpfilesd/Makefile.am b/init/tmpfilesd/Makefile.am
new file mode 100644
index 00..7db2e9e0cd
--- /dev/null
+++ b/init/tmpfilesd/Makefile.am
@@ -0,0 +1,20 @@
+dist_noinst_DATA = \
+	ipa.conf.in
+
+systemdtmpfiles_DATA = \
+	ipa.conf
+
+CLEANFILES = $(systemdtmpfiles_DATA)
+
+%: %.in Makefile
+	sed -e 's|@localstatedir[@]|$(localstatedir)|g' '$(srcdir)/$@.in' >$@
+
+# create empty directories as needed
+# DESTDIR might not be set, in that case default to system root
+DESTDIR ?= /
+install-data-hook:
+	for conf in $(systemdtmpfiles_DATA); do \
+		systemd-tmpfiles --remove --create --boot   \
+--root $(DESTDIR)   \
+$(DESTDIR)$(systemdtmpfilesdir)/$${conf} || :;  \
+	done
diff --git a/init/tmpfilesd/ipa.conf.in b/init/tmpfilesd/ipa.conf.in
new file mode 100644
index 00..750e808edb
--- /dev/null
+++ b/init/tmpfilesd/ipa.conf.in
@@ -0,0 +1,3 @@
+d @localstatedir@/run/ipa 0711 root root
+d @localstatedir@/run/ipa/ccaches 0770 ipaapi ipaapi
+
diff --git 

[Freeipa-devel] [freeipa PR#912][opened] [4-5 only] replica install: drop-in IPA specific config to tmpfiles.d

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/912
Author: martbab
 Title: #912: [4-5 only] replica install: drop-in IPA specific config to 
tmpfiles.d
Action: opened

PR body:
"""
While server installation and upgrade code configures the IPA specific
tmpfiles location and creates relevant directories, the replica
installer code path is covered incompletely and one step is missing.

https://pagure.io/freeipa/issue/7053
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/912/head:pr912
git checkout pr912
From d8933ead6569c71be606683d568664637c19a722 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 11 Jul 2017 12:41:38 +0200
Subject: [PATCH] replica install: drop-in IPA specific config to tmpfiles.d

While server installation and upgrade code configures the IPA specific
tmpfiles location and creates relevant directories, the replica
installer code path is covered incompletely and one step is missing.

https://pagure.io/freeipa/issue/7053
---
 ipaserver/install/server/replicainstall.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 4f28de25bd..814925de15 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1515,6 +1515,9 @@ def install(installer):
 # remove the extracted replica file
 remove_replica_info_dir(installer)
 
+# Make sure the files we crated in /var/run are recreated at startup
+tasks.configure_tmpfiles()
+
 # Everything installed properly, activate ipa service.
 services.knownservices.ipa.enable()
 
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#623][closed] client install: do not assume /etc/krb5.conf.d exists

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/623
Author: HonzaCholasta
 Title: #623: client install: do not assume /etc/krb5.conf.d exists
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/623/head:pr623
git checkout pr623
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#893][opened] smard card advises fixes + general improvements

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/893
Author: martbab
 Title: #893: smard card advises fixes + general improvements
Action: opened

PR body:
"""
Add some missing operations to the client/server smart card advises and fix
issues. Also provide more transparent generators of Bash control flow branches
and loops.

https://pagure.io/freeipa/issue/7036
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/893/head:pr893
git checkout pr893
From d50a6278ab151e0facda48a64006a48507ec6e25 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 21 Jun 2017 18:28:50 +0200
Subject: [PATCH 01/11] smart-card advise: configure systemwide NSS DB also on
 master

Previously the Smart card signing CA cert was uploaded to systemwide NSS
DB only on the client, but it need to be added also to the server.
Modify the advise plugins to allow for common configuration steps to
occur in both cases.

https://pagure.io/freeipa/issue/7036
---
 ipaserver/advise/plugins/smart_card_auth.py | 59 +
 1 file changed, 35 insertions(+), 24 deletions(-)

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 5859e35093..0ee4808d47 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -10,8 +10,39 @@
 register = Registry()
 
 
+class common_smart_card_auth_config(Advice):
+"""
+Common steps required to properly configure both server and client for
+smart card auth
+"""
+
+systemwide_nssdb = paths.NSS_DB_DIR
+smart_card_ca_cert_variable_name = "SC_CA_CERT"
+
+def check_and_set_ca_cert_path(self):
+ca_path_variable = self.smart_card_ca_cert_variable_name
+self.log.command("{}=$1".format(ca_path_variable))
+self.log.exit_on_predicate(
+'[ -z "${}" ]'.format(ca_path_variable),
+['You need to provide the path to the PEM file containing CA '
+ 'signing the Smart Cards']
+)
+self.log.exit_on_predicate(
+'[ ! -f "${}" ]'.format(ca_path_variable),
+['Invalid CA certificate filename: ${}'.format(ca_path_variable),
+ 'Please check that the path exists and is a valid file']
+)
+
+def upload_smartcard_ca_certificate_to_systemwide_db(self):
+self.log.command(
+'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
+self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
+)
+)
+
+
 @register()
-class config_server_for_smart_card_auth(Advice):
+class config_server_for_smart_card_auth(common_smart_card_auth_config):
 """
 Configures smart card authentication via Kerberos (PKINIT) and for WebUI
 """
@@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice):
 
 def get_info(self):
 self.log.exit_on_nonroot_euid()
+self.check_and_set_ca_cert_path()
 self.check_ccache_not_empty()
 self.check_hostname_is_in_masters()
 self.resolve_ipaca_records()
@@ -37,6 +69,7 @@ def get_info(self):
 self.record_httpd_ocsp_status()
 self.check_and_enable_pkinit()
 self.enable_ok_to_auth_as_delegate_on_http_principal()
+self.upload_smartcard_ca_certificate_to_systemwide_db()
 
 def check_ccache_not_empty(self):
 self.log.comment('Check whether the credential cache is not empty')
@@ -162,11 +195,10 @@ def enable_ok_to_auth_as_delegate_on_http_principal(self):
 
 
 @register()
-class config_client_for_smart_card_auth(Advice):
+class config_client_for_smart_card_auth(common_smart_card_auth_config):
 """
 Configures smart card authentication on FreeIPA client
 """
-smart_card_ca_cert_variable_name = "SC_CA_CERT"
 
 description = ("Instructions for enabling Smart Card authentication on "
" a single FreeIPA client. Configures Smart Card daemon, "
@@ -190,20 +222,6 @@ def get_info(self):
 self.run_authconfig_to_configure_smart_card_auth()
 self.restart_sssd()
 
-def check_and_set_ca_cert_path(self):
-ca_path_variable = self.smart_card_ca_cert_variable_name
-self.log.command("{}=$1".format(ca_path_variable))
-self.log.exit_on_predicate(
-'[ -z "${}" ]'.format(ca_path_variable),
-['You need to provide the path to the PEM file containing CA '
- 'signing the Smart Cards']
-)
-self.log.exit_on_predicate(
-'[ ! -f "${}" ]'.format(ca_path_variable),
-['Invalid CA certificate filename: ${}'.format(ca_path_variable),
- 'Please check that the path exists and is a valid file']
-)
-
 def check_and_remove_pam_pkcs11(self):
 self.log.command('rpm -qi pam_pkcs11 > /dev/null')
 self.log.commands_on_predicate(
@@ -247,13 +265,6 @@ def 

[Freeipa-devel] [freeipa PR#876][closed] python-netifaces: update to reflect upstream changes

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/876
Author: MartinBasti
 Title: #876: python-netifaces: update to reflect upstream changes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/876/head:pr876
git checkout pr876
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#873][comment] kra: promote: Get ticket before attempting to get KRA keys with custodia

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/873
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with 
custodia

martbab commented:
"""
master:

* 342f72140f9bd8b8db19f469ae4c56cac7492901 kra: promote: Get ticket before 
calling custodia


ipa-4-5:

* 15076a1c2b0fb31dce3903e5f50cab9edf68ad07 kra: promote: Get ticket before 
calling custodia


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/873#issuecomment-308661144
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#701][+pushed] ipa help doesn't always work

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/701
Title: #701: ipa help doesn't always work

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#867][+pushed] trust-mod: allow modifying list of UPNs of a trusted forest

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#867][comment] trust-mod: allow modifying list of UPNs of a trusted forest

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest

martbab commented:
"""
Nevermind I fixed this for @abbra. Let's wait for Travis and then we can push 
it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/867#issuecomment-308434278
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#867][synchronized] trust-mod: allow modifying list of UPNs of a trusted forest

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/867
Author: abbra
 Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/867/head:pr867
git checkout pr867
From 2cd8af5201af9e2e962c4987a3b3641f3b83c982 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 12 Jun 2017 11:05:06 +0300
Subject: [PATCH] trust-mod: allow modifying list of UPNs of a trusted forest

There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:

  ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
---
 API.txt| 3 ++-
 VERSION.m4 | 4 ++--
 ipaserver/plugins/trust.py | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 44567a22da..aabd9c0d4a 100644
--- a/API.txt
+++ b/API.txt
@@ -5772,11 +5772,12 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: trust_mod/1
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', cli_name='realm')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
+option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upn_suffixes')
 option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming')
 option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
diff --git a/VERSION.m4 b/VERSION.m4
index 706c243739..cc308f1e23 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412)
 #  #
 
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 227)
-# Last change: Add `pkinit-status` command
+define(IPA_API_VERSION_MINOR, 228)
+# Last change: Expose ipaNTAdditionalSuffixes in trust-mod
 
 
 
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 075b39dcc3..d0bbfbc47c 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -553,8 +553,9 @@ class trust(LDAPObject):
 flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
 ),
 Str('ipantadditionalsuffixes*',
+cli_name='upn_suffixes',
 label=_('UPN suffixes'),
-flags={'no_create', 'no_update', 'no_search'},
+flags={'no_create', 'no_search'},
 ),
 )
 
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#867][synchronized] trust-mod: allow modifying list of UPNs of a trusted forest

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/867
Author: abbra
 Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/867/head:pr867
git checkout pr867
From eed383573ccad874114194e724c9ba282b2e4529 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 12 Jun 2017 11:05:06 +0300
Subject: [PATCH 1/2] trust-mod: allow modifying list of UPNs of a trusted
 forest

There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:

  ipa trust-mod ad.test --upns={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
---
 API.txt| 3 ++-
 VERSION.m4 | 4 ++--
 ipaserver/plugins/trust.py | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 44567a22da..4930b0d6b2 100644
--- a/API.txt
+++ b/API.txt
@@ -5772,11 +5772,12 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: trust_mod/1
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', cli_name='realm')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
+option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upns')
 option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming')
 option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
diff --git a/VERSION.m4 b/VERSION.m4
index 706c243739..cc308f1e23 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412)
 #  #
 
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 227)
-# Last change: Add `pkinit-status` command
+define(IPA_API_VERSION_MINOR, 228)
+# Last change: Expose ipaNTAdditionalSuffixes in trust-mod
 
 
 
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 075b39dcc3..310634904e 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -553,8 +553,9 @@ class trust(LDAPObject):
 flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
 ),
 Str('ipantadditionalsuffixes*',
+cli_name='upns',
 label=_('UPN suffixes'),
-flags={'no_create', 'no_update', 'no_search'},
+flags={'no_create', 'no_search'},
 ),
 )
 

From 78e0a8f1fb352b2db54ec220646505c914c0760d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 12 Jun 2017 11:05:06 +0300
Subject: [PATCH 2/2] trust-mod: allow modifying list of UPNs of a trusted
 forest

There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is 

[Freeipa-devel] [freeipa PR#867][comment] trust-mod: allow modifying list of UPNs of a trusted forest

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest

martbab commented:
"""
LGTM, the only little nitpick I have is that the CLI option should be named 
`--upn-suffixes` as `--upns` implies that you can specify full User principal 
names which you don't. You only specify suffixes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/867#issuecomment-308396576
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#854][closed] server-side and client-side advises for configuring smart card auth

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
 Title: #854: server-side and client-side advises for configuring smart card 
auth
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/854/head:pr854
git checkout pr854
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
master:

* 0569c02f17f853d97280f52f4a7fefecc72cf45d Extend the advice printing code by 
some useful abstractions
* e418e9a4ca747886c53d05ae80597834f1d3d021 Prepare advise plugin for smart card 
auth configuration


ipa-4-5:

* 7ea7ee4326679c098d3e4e4d6a2bc743707708ca Extend the advice printing code by 
some useful abstractions
* 84ca9761bd47f28b72581d1fe6bd8cfa824b6df3 Prepare advise plugin for smart card 
auth configuration


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-308390829
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#854][synchronized] server-side and client-side advises for configuring smart card auth

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
 Title: #854: server-side and client-side advises for configuring smart card 
auth
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/854/head:pr854
git checkout pr854
From 1deb530a75b1031b59edb48df1e71678e4e6 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 5 Jun 2017 16:59:25 +0200
Subject: [PATCH 1/2] Extend the advice printing code by some useful
 abstractions

The advise printing code was augmented by methods that simplify
generating bash snippets that report errors or failed commands.

https://pagure.io/freeipa/issue/6982
---
 ipaserver/advise/base.py | 63 ++--
 1 file changed, 61 insertions(+), 2 deletions(-)

diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index 40dabd0426..ba412b8724 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -94,8 +94,67 @@ def debug(self, line):
 if self.options.verbose:
 self.comment('DEBUG: ' + line)
 
-def command(self, line):
-self.content.append(line)
+def command(self, line, indent_spaces=0):
+self.content.append(
+'{}{}'.format(self._format_indent(indent_spaces), line))
+
+def _format_indent(self, num_spaces):
+return ' ' * num_spaces
+
+def echo_error(self, error_message, indent_spaces=0):
+self.command(
+self._format_error(error_message), indent_spaces=indent_spaces)
+
+def _format_error(self, error_message):
+return 'echo "{}" >&2'.format(error_message)
+
+def exit_on_failed_command(self, command_to_run,
+   error_message_lines, indent_spaces=0):
+self.command(command_to_run, indent_spaces=indent_spaces)
+self.exit_on_predicate(
+'[ "$?" -ne "0" ]',
+error_message_lines,
+indent_spaces=indent_spaces)
+
+def exit_on_nonroot_euid(self):
+self.exit_on_predicate(
+'[ "$(id -u)" -ne "0" ]',
+["This script has to be run as root user"]
+)
+
+def exit_on_predicate(self, predicate, error_message_lines,
+  indent_spaces=0):
+commands_to_run = [
+self._format_error(error_message_line)
+for error_message_line in error_message_lines]
+
+commands_to_run.append('exit 1')
+self.commands_on_predicate(
+predicate,
+commands_to_run,
+indent_spaces=indent_spaces)
+
+def commands_on_predicate(self, predicate, commands_to_run_when_true,
+  commands_to_run_when_false=None,
+  indent_spaces=0):
+if_command = 'if {}'.format(predicate)
+self.command(if_command, indent_spaces=indent_spaces)
+self.command('then', indent_spaces=indent_spaces)
+
+indented_block_spaces = indent_spaces + 2
+
+for command_to_run_when_true in commands_to_run_when_true:
+self.command(
+command_to_run_when_true, indent_spaces=indented_block_spaces)
+
+if commands_to_run_when_false is not None:
+self.command("else", indent_spaces=indent_spaces)
+for command_to_run_when_false in commands_to_run_when_false:
+self.command(
+command_to_run_when_false,
+indent_spaces=indented_block_spaces)
+
+self.command('fi', indent_spaces=indent_spaces)
 
 
 class Advice(Plugin):

From b4d4fe048ee4c7c03d69283b92010e18c3e88056 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 2 Jun 2017 18:36:29 +0200
Subject: [PATCH 2/2] Prepare advise plugin for smart card auth configuration

The plugin contains recipes for configuring Smart Card authentication
on FreeIPA server and enrolled client.

https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes
https://pagure.io/freeipa/issue/6982
---
 ipaserver/advise/plugins/smart_card_auth.py | 266 
 1 file changed, 266 insertions(+)
 create mode 100644 ipaserver/advise/plugins/smart_card_auth.py

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
new file mode 100644
index 00..5859e35093
--- /dev/null
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -0,0 +1,266 @@
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+
+from ipalib.plugable import Registry
+from ipaplatform.paths import paths
+from ipaserver.advise.base import Advice
+from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
+
+register = Registry()
+
+
+@register()
+class config_server_for_smart_card_auth(Advice):
+"""
+Configures smart card authentication via Kerberos (PKINIT) and for WebUI
+"""
+
+description = ("Instructions for 

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
Also I get the following error when running authconfig:

```console
authconfig: Authentication module /lib64/security/pam_pkcs11.so is missing. 
Authentication process might not work correctly.
```

It is understandable, since I have removed pam_pkcs11 package as per 
documentation, but it still puzzles me.

It may be that I have an old version of authconfig, as I am developing this on 
F25 where I have authconfig-6.2.10-14.fc25.x86_64.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-307427676
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#849][+pushed] session_storage: Correctly handle string/byte types

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/849
Title: #849: session_storage: Correctly handle string/byte types

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#849][closed] session_storage: Correctly handle string/byte types

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/849
Author: stlaz
 Title: #849: session_storage: Correctly handle string/byte types
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/849/head:pr849
git checkout pr849
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#849][comment] session_storage: Correctly handle string/byte types

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/849
Title: #849: session_storage: Correctly handle string/byte types

martbab commented:
"""
master:

* d665224a85610cccbe7d291e9ed41d2ce7e5b61c session_storage: Correctly handle 
string/byte types


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/849#issuecomment-307413021
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#840][comment] Add Role 'Enrollment Administrator'

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/840
Title: #840: Add Role 'Enrollment Administrator'

martbab commented:
"""
master:

* 468eb3c712140399ed2ec346ff4356bffd590e09 Add Role 'Enrollment Administrator'


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/840#issuecomment-307407213
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#838][closed] Explicitly ask for py2 dependencies in py2 packages

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/838
Author: MartinBasti
 Title: #838: Explicitly ask for py2 dependencies in py2 packages
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/838/head:pr838
git checkout pr838
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
@flo ah sorry I missed that. I will incorporate it into advise then.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-307360499
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
That section[1] only instructs to configure `pam_cert_auth=true` in the SSSD's 
`pam` section which is already done on both server and client, see 
`enable_pam_auth_in_sssd` method. Am I missing something? 

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/idm-smart-cards.html
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-307358447
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#854][comment] RFC: server-side smart card auth advise plugin

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: RFC: server-side smart card auth advise plugin

martbab commented:
"""
@flo thanks for your input, I will rework the PR tomorrow.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-306811993
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#852][+pushed] pkinit manage: introduce ipa-pkinit-manage

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/852
Title: #852: pkinit manage: introduce ipa-pkinit-manage

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#847][comment] Turn off OCSP check

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/847
Title: #847: Turn off OCSP check

martbab commented:
"""
How did we resolve the issue of tracking nssocsp status in sysupgrade state? 
Shouldn't we record this so that we now it was disabled by our 
installer/upgrader?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/847#issuecomment-305804717
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#832][closed] Add remote_plugins subdirectories to RPM

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/832
Author: MartinBasti
 Title: #832: Add remote_plugins subdirectories to RPM
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/832/head:pr832
git checkout pr832
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#832][comment] Add remote_plugins subdirectories to RPM

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/832
Title: #832: Add remote_plugins subdirectories to RPM

martbab commented:
"""
ipa-4-5:

* 359e3f261705976229bace2d0a22546670181603 Add remote_plugins subdirectories to 
RPM


master:

* 71adc8cd3ff6d6e54f332e94bfda3ed59396de90 Add remote_plugins subdirectories to 
RPM


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/832#issuecomment-305123104
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#831][+pushed] [4.4] custodia dep: require explictly python2 version

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/831
Title: #831: [4.4] custodia dep: require explictly python2 version

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#830][+pushed] custodia dep: require explictly python2 version

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/830
Title: #830: custodia dep: require explictly python2 version

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#830][comment] custodia dep: require explictly python2 version

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/830
Title: #830: custodia dep: require explictly python2 version

martbab commented:
"""
master:

* a90a113b66fca620b04635442b135a5136ece7ba custodia dep: require explictly 
python2 version


ipa-4-5:

* 444107a00bf995aca62aba74ea02b52e577ab791 custodia dep: require explictly 
python2 version


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/830#issuecomment-305122168
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#830][closed] custodia dep: require explictly python2 version

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/830
Author: MartinBasti
 Title: #830: custodia dep: require explictly python2 version
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/830/head:pr830
git checkout pr830
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#801][+pushed] httpinstance: wait until the service entry is replicated

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/801
Title: #801: httpinstance: wait until the service entry is replicated

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#801][closed] httpinstance: wait until the service entry is replicated

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/801
Author: HonzaCholasta
 Title: #801: httpinstance: wait until the service entry is replicated
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/801/head:pr801
git checkout pr801
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#801][+ack] httpinstance: wait until the service entry is replicated

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/801
Title: #801: httpinstance: wait until the service entry is replicated

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#797][comment] ipa-replica-conncheck: handle ssh not installed

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/797
Title: #797: ipa-replica-conncheck: handle ssh not installed

martbab commented:
"""
ipa-4-5:

* bacccb70a2e91efa22ee19aec9cca75bac94bd95 ipa-replica-conncheck: handle ssh 
not installed


master:

* f960450820c13284b52b4c5f420f0f1191a45619 ipa-replica-conncheck: handle ssh 
not installed


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/797#issuecomment-304832646
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#797][+pushed] ipa-replica-conncheck: handle ssh not installed

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/797
Title: #797: ipa-replica-conncheck: handle ssh not installed

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#797][closed] ipa-replica-conncheck: handle ssh not installed

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/797
Author: flo-renaud
 Title: #797: ipa-replica-conncheck: handle ssh not installed
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/797/head:pr797
git checkout pr797
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#821][synchronized] fix incorrect suffix handling in topology checks

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/821
Author: martbab
 Title: #821: fix incorrect suffix handling in topology checks
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/821/head:pr821
git checkout pr821
From 25bb509404d8111fd761ec3074e558a725c7dadd Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 26 May 2017 12:23:51 +0200
Subject: [PATCH] fix incorrect suffix handling in topology checks

When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
tha value for further computations passes None and causes unhandled
internal errors.

If the attribute is empty or not present, we should return empty list
instead as to not break calling cod attribute, the code that tries to
retrieve tha value for further computations passes None and causes
unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965
---
 ipaserver/topology.py | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/ipaserver/topology.py b/ipaserver/topology.py
index 385da29a66..2b6b083547 100644
--- a/ipaserver/topology.py
+++ b/ipaserver/topology.py
@@ -72,12 +72,15 @@ def get_topology_connection_errors(graph):
 
 def map_masters_to_suffixes(masters):
 masters_to_suffix = {}
+managed_suffix_attr = 'iparepltopomanagedsuffix_topologysuffix'
 
 for master in masters:
-try:
-managed_suffixes = master.get(
-'iparepltopomanagedsuffix_topologysuffix')
-except KeyError:
+if managed_suffix_attr not in master:
+continue
+
+managed_suffixes = master[managed_suffix_attr]
+
+if managed_suffixes is None:
 continue
 
 for suffix_name in managed_suffixes:
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#821][comment] fix incorrect suffix handling in topology checks

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/821
Title: #821: fix incorrect suffix handling in topology checks

martbab commented:
"""
@pvoborni it shouldn't but given how our framework sometimes (mis)-behaves the 
possibility is there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/821#issuecomment-304643335
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#817][closed] [py3] Change ConfigParser to RawConfigParser

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/817
Author: stlaz
 Title: #817: [py3] Change ConfigParser to RawConfigParser
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/817/head:pr817
git checkout pr817
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#817][comment] [py3] Change ConfigParser to RawConfigParser

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/817
Title: #817: [py3] Change ConfigParser to RawConfigParser

martbab commented:
"""
master:

* 35675ca2bbe9c044f115764a2daac45f7468be00 Change ConfigParser to 
RawConfigParser


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/817#issuecomment-304306864
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: [WIP] Refactoring cert-find to use API call directly instead of 
using

martbab commented:
"""
Remember taht you have to use 'exact=False' in the filter to perform substring 
search for krbPrincipalName given the fact that (except for services) the 
principal is constructed from primary key by appending realm (and prepending 
`host/` in the case of hosts). This, however, opens a range of possibilities 
for new bug to creep in (considering 'tuser' is the owner but we have 'tuser1' 
and 'tuser2' in LDAP, what will your search filter return?).

That's why I think this is not correct solution given we currently reference 
owners by primary keys and not by principals (krbPrincipalName != primary key 
in most cases except services without krbCanonicalName attribute). I am more 
inclined to @HonzaCholasta's solution as it seems cleaner to me. An alternative 
is to report principals as cert owners, which will break API, however.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/812#issuecomment-304304587
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#816][+pushed] only stop/disable simple service if it is installed

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/816
Title: #816: only stop/disable simple service if it is installed

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#816][comment] only stop/disable simple service if it is installed

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/816
Title: #816: only stop/disable simple service if it is installed

martbab commented:
"""
ipa-4-5:

* 6114150de20a7d8371c7383f619cd0fefe339cbf only stop/disable simple service if 
it is installed


master:

* 8b6f8ed7d47542b9bd8b7453a8a0e202ed1db97d only stop/disable simple service if 
it is installed


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/816#issuecomment-304293870
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#790][closed] RFC: API for reporting PKINIT status

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/790
Author: martbab
 Title: #790: RFC: API for reporting PKINIT status
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/790/head:pr790
git checkout pr790
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#790][comment] RFC: API for reporting PKINIT status

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status

martbab commented:
"""
ipa-4-5:

* c4aa3a17694b1ad8f9c60c98a95d217c01fc736c Allow for multivalued server 
attributes
* 753f8cf3aff07d22b35005b973e8518665d1fe6f Refactor the role/attribute member 
reporting code
* fbccb748a1c85b7ed67946ba7a11a960b839bcc9 Add an attribute reporting client 
PKINIT-capable servers
* 733cef9d5b0ae8312789371689939902d257 Add the list of PKINIT servers as a 
virtual attribute to global config
* 6b815aae7174693b4952f2c60e7201d99e7b9684 Add `pkinit-status` command
* 4fa29a33765cb5d6ce86846f37766e5d3322f25f test_serverroles: Get rid of 
MockLDAP and use ldap2 instead


master:

* bddb90f38a3505a2768862d2f814c5e749a7dcde Allow for multivalued server 
attributes
* cac7e49daa04e838650548cc9162b8f117dc55b3 Refactor the role/attribute member 
reporting code
* d8bb23ac389929f28c584602e592b821e4c6ef9a Add an attribute reporting client 
PKINIT-capable servers
* f80553208e8d9f3df422f5be8e1cafa511e1b2c4 Add the list of PKINIT servers as a 
virtual attribute to global config
* 99352731b4b4bdcedfe6668ce71c1d67720ac4af Add `pkinit-status` command
* 58fd229a1dbb3f00a591de9417f36197141e26d7 test_serverroles: Get rid of 
MockLDAP and use ldap2 instead


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/790#issuecomment-304292760
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#790][+pushed] RFC: API for reporting PKINIT status

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#821][opened] fix incorrect suffix handling in topology checks

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/821
Author: martbab
 Title: #821: fix incorrect suffix handling in topology checks
Action: opened

PR body:
"""
When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
tha value for further computations passes None and causes unhandled
internal errors.

If the attribute is empty or not present, we should return empty list
instead as to not break calling cod attribute, the code that tries to
retrieve tha value for further computations passes None and causes
unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/821/head:pr821
git checkout pr821
From 7543b48870f1046067fd8adf4106bb72c6b688dc Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 26 May 2017 12:23:51 +0200
Subject: [PATCH] fix incorrect suffix handling in topology checks

When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
tha value for further computations passes None and causes unhandled
internal errors.

If the attribute is empty or not present, we should return empty list
instead as to not break calling cod attribute, the code that tries to
retrieve tha value for further computations passes None and causes
unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965
---
 ipaserver/topology.py | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/ipaserver/topology.py b/ipaserver/topology.py
index 385da29a66..7da68552f5 100644
--- a/ipaserver/topology.py
+++ b/ipaserver/topology.py
@@ -74,11 +74,8 @@ def map_masters_to_suffixes(masters):
 masters_to_suffix = {}
 
 for master in masters:
-try:
-managed_suffixes = master.get(
-'iparepltopomanagedsuffix_topologysuffix')
-except KeyError:
-continue
+managed_suffixes = master.get(
+'iparepltopomanagedsuffix_topologysuffix', [])
 
 for suffix_name in managed_suffixes:
 try:
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#820][synchronized] Amend some regressions in backup/restore tests

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/820
Author: martbab
 Title: #820: Amend some regressions in backup/restore tests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/820/head:pr820
git checkout pr820
From 131208291ececfec78ae8b0bba2fe7330a61b1a3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 25 May 2017 14:02:10 +0200
Subject: [PATCH 1/2] test_backup_restore: do not fail on missing
 KrbLastSuccessfulAuth

Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.

https://pagure.io/freeipa/issue/6956
---
 ipatests/test_integration/test_backup_and_restore.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 833baed366..2899434b9d 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -58,7 +58,7 @@ def check_admin_in_ldap(host):
 assert entry.dn == user_dn
 assert entry['uid'] == ['admin']
 
-del entry['krbLastSuccessfulAuth']
+entry.pop('krbLastSuccessfulAuth', None)
 
 return entry
 

From e9ca893c5b5785c0e00a0373b43b1a5db3cf1237 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 26 May 2017 12:39:35 +0200
Subject: [PATCH 2/2] Do not delete DS and PKI users during backup/restore
 tests

Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.

https://pagure.io/freeipa/issue/6956
---
 ipatests/test_integration/test_backup_and_restore.py | 4 
 1 file changed, 4 deletions(-)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 2899434b9d..bb648d71b7 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -23,7 +23,6 @@
 import re
 import contextlib
 
-from ipaplatform.constants import constants
 from ipapython.ipa_log_manager import log_mgr
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
@@ -165,9 +164,6 @@ def test_full_backup_and_restore_with_removed_users(self):
  '--uninstall',
  '-U'])
 
-self.master.run_command(['userdel', constants.DS_USER])
-self.master.run_command(['userdel', constants.PKI_USER])
-
 homedir = os.path.join(self.master.config.test_dir,
'testuser_homedir')
 self.master.run_command(['useradd', 'ipatest_user1',
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#802][comment] Improve cert messages some more + do that for KDC certs as well

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/802
Title: #802: Improve cert messages some more + do that for KDC certs as well

martbab commented:
"""
I would personally prefer to let the output as is (be it verbose) rather than 
spending time on trying to devise some fancy-pants output parsing code that 
would pull in additional bugs and inconsistencies.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/802#issuecomment-304261563
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#701][comment] ipa help doesn't always work

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/701
Title: #701: ipa help doesn't always work

martbab commented:
"""
@neffs please fix pylint error reported in Travis CI:

```console
* Module ipaclient.remote_plugins.schema

ipaclient/remote_plugins/schema.py:519: [E1101(no-member), Schema.get_help] 
Instance of 'dict' has no 'decode' member)

make: *** [pylint] Error 2

Makefile:1175: recipe for target 'pylint' failed
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/701#issuecomment-304254492
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#819][closed] [ipa-4-5] Change python-cryptography to python2-cryptography

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/819
Author: pvomacka
 Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/819/head:pr819
git checkout pr819
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#819][+pushed] [ipa-4-5] Change python-cryptography to python2-cryptography

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/819
Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#819][+ack] [ipa-4-5] Change python-cryptography to python2-cryptography

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/819
Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#790][comment] RFC: API for reporting PKINIT status

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status

martbab commented:
"""
@HonzaCholasta thanks for looking on API, anyone for functional review?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/790#issuecomment-304218253
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#796][+pushed] Move selinux booleans to ipaplatform

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/796
Title: #796: Move selinux booleans to ipaplatform

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#796][closed] Move selinux booleans to ipaplatform

[martbab via FreeIPA-devel]

   URL: https://github.com/freeipa/freeipa/pull/796
Author: MartinBasti
 Title: #796: Move selinux booleans to ipaplatform
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/796/head:pr796
git checkout pr796
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#796][+ack] Move selinux booleans to ipaplatform

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/796
Title: #796: Move selinux booleans to ipaplatform

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#811][+pushed] [4.5] Remove pkinit-anonymous command

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/811
Title: #811: [4.5] Remove pkinit-anonymous command

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#811][+ack] [4.5] Remove pkinit-anonymous command

[martbab via FreeIPA-devel]

  URL: https://github.com/freeipa/freeipa/pull/811
Title: #811: [4.5] Remove pkinit-anonymous command

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org